Multiple Cisco Products brstart sm_read_string_length Remote Code Execution

This script is Copyright (C) 2012 Tenable Network Security, Inc.


Synopsis :

The monitoring application hosted on the remote server has a remote
code execution vulnerability.

Description :

A flaw exists within the brstart.exe service, which listens by
default on TCP port 9002. When handling a specially crafted SMARTS
request, the process extracts a user-provided value to allocate a
heap buffer via sm_read_string_length and then blindly copies
user-supplied data into that buffer. A remote, unauthenticated
attacker can exploit this vulnerability to execute arbitrary code in
the context of the service.
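As an added example (not code from the Nessus plugin, Cisco or the SMARTS server; the 4-byte big-endian length prefix is a constructed stand-in for the real request layout), this is the check a string reader needs before it allocates from a client-supplied length and copies data into the result: the declared length must fit both a sane upper bound and the bytes actually present, so the copy can never exceed the allocation.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical field layout: 4-byte big-endian length followed by that many
 * bytes. Constructed for illustration, not the SMARTS wire format. */

/* Largest single string field the reader is willing to allocate. */
#define MAX_STRING_LEN 4096

/* Reads one length-prefixed string from buf[*offset..buf_len).
 * Returns a malloc'd NUL-terminated copy and advances *offset on success;
 * returns NULL (offset unchanged) when the declared length is oversized or
 * exceeds the bytes that remain. The flawed pattern allocates from the
 * declared length and then copies without this bound. */
char *read_string_checked(const uint8_t *buf, size_t buf_len, size_t *offset)
{
    if (*offset > buf_len || buf_len - *offset < 4)
        return NULL;                      /* no room for the length field */
    const uint8_t *p = buf + *offset;
    uint32_t declared = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
                        ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    if (declared > MAX_STRING_LEN)
        return NULL;                      /* refuse oversized allocations */
    if (declared > buf_len - *offset - 4)
        return NULL;                      /* declared length exceeds payload */
    char *out = malloc((size_t)declared + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, p + 4, declared);         /* bounded by the validated length */
    out[declared] = '\0';
    *offset += 4 + declared;
    return out;
}

/* Constructed sample: a valid 5-byte string, then a field claiming 100 bytes
 * when only one byte remains. Returns 1 if the first field is accepted and
 * the truncated one rejected without moving the offset, 0 otherwise. */
int demo_truncated_field(void)
{
    static const uint8_t msg[] = {0, 0, 0, 5, 'h', 'e', 'l', 'l', 'o',
                                  0, 0, 0, 100, 'x'};
    size_t off = 0;
    char *s = read_string_checked(msg, sizeof msg, &off);
    int ok = s != NULL && strcmp(s, "hello") == 0 && off == 9;
    free(s);
    if (!ok)
        return 0;
    return read_string_checked(msg, sizeof msg, &off) == NULL && off == 9;
}
```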

Note that Cisco Unified Service Monitor prior to version 8.6, Cisco
Unified Operations Manager prior to version 8.6, and CiscoWorks LAN
Management Solution software releases 3.1, 3.2, and 4.0 are affected.

Also note that these Cisco products use a bundled EMC SMARTS
application server, in which the vulnerability resides. As such,
multiple EMC Ionix products (ESA-2011-029) are also affected, but they
are not checked by this plugin as they may have a different attack
vector.

See also :

http://www.cisco.com/en/US/products/csa/cisco-sa-20110914-lms.html
http://www.zerodayinitiative.com/advisories/ZDI-11-292/
http://www.nessus.org/u?b6ed88ce

Solution :

Upgrade to Cisco Unified Operations Manager 8.6 or later

Upgrade to Cisco Unified Service Monitor 8.6 or later

Apply the patch and upgrade for CiscoWorks LAN Management Solution
releases 3.1, 3.2, and 4.0, with detailed instructions at
http://www.cisco.com/en/US/products/csa/cisco-sa-20110914-lms.html.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.4
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Gain a shell remotely

Nessus Plugin ID: 58004

Bugtraq ID: 49627, 49644

CVE ID: CVE-2011-2738